Fix CORS for *authenticated* cross-origin requests#299
Open
petersmythe wants to merge 1 commit into
Two issues prevented CORS from working with authenticated requests (e.g. Swagger UI 'Try it out', JavaScript clients with Basic Auth):

1. Missing Authorization header in CORS_ALLOWED_HEADERS default: The default did not include 'Authorization', causing Tomcat's CorsFilter to reject preflight requests that declare Access-Control-Request-Headers: authorization.

2. CORS filter-mapping placed after Spring Security: The filter-mapping was appended at the end of web.xml (before </web-app>), which placed it AFTER the filterChainProxy filter-mapping. This meant Spring Security intercepted OPTIONS preflight requests first and returned 401 Unauthorized before the CORS filter could respond with the required headers.

Fix:
- Add 'Authorization' to the default CORS_ALLOWED_HEADERS env var
- Insert the CORS filter-mapping BEFORE filterChainProxy in web.xml so preflight requests are handled before authentication is enforced
- Update README.md to reflect the new default
Summary

When `CORS_ENABLED=true` is set without additional configuration, authenticated cross-origin requests (e.g. from Swagger UI or JavaScript clients sending `Authorization` headers) fail. This PR fixes two issues that combine to break CORS for any endpoint protected by Spring Security.

Problems

1. Missing `Authorization` in default `CORS_ALLOWED_HEADERS` — The default does not include `Authorization`, so Tomcat's CorsFilter rejects preflight requests that declare `Access-Control-Request-Headers: authorization` with a 403 Forbidden.

2. CORS filter-mapping placed after Spring Security — The CORS `<filter-mapping>` is appended just before `</web-app>`, placing it AFTER `filterChainProxy` in the servlet filter chain. Spring Security intercepts the unauthenticated OPTIONS preflight request first and returns 401 before the CORS filter ever runs.

Fix

- Add `Authorization` to the default `CORS_ALLOWED_HEADERS` environment variable in the Dockerfile.
- The `<filter>` definition is still appended before `</web-app>`, but the `<filter-mapping>` is now inserted BEFORE the `filterChainProxy` filter-mapping so that preflight requests are handled before authentication is enforced.

Testing

Verified with `docker.osgeo.org/geoserver:3.0.x`:

- `OPTIONS /geoserver/rest/about/manifest` with `Origin` and `Access-Control-Request-Headers: Authorization` → 401

No changes to existing behaviour for non-credentialed requests or when `CORS_ENABLED=false`.
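The two failure modes described in this PR, as an added Python model that is not GeoServer's, Tomcat's or Spring Security's code: a simplified CorsFilter preflight check and a stand-in for filterChainProxy, placed in a servlet-style chain in either order. The allowed-header lists, origin and preflight request are constructed values.

```python
from collections import namedtuple

Request = namedtuple("Request", "method headers")
Response = namedtuple("Response", "status headers", defaults=[{}])

def is_preflight(req):
    return (req.method == "OPTIONS" and "Origin" in req.headers
            and "Access-Control-Request-Method" in req.headers)

class CorsFilter:
    """Simplified preflight handling in the spirit of Tomcat's CorsFilter: every header
    named in Access-Control-Request-Headers must be allowed (case-insensitive) or the
    preflight is rejected with 403 and no CORS headers."""
    def __init__(self, allowed_headers):
        self.allowed = {h.strip().lower() for h in allowed_headers.split(",")}

    def do_filter(self, req, chain):
        if not is_preflight(req):
            return chain(req)
        requested = req.headers.get("Access-Control-Request-Headers", "")
        wanted = {h.strip().lower() for h in requested.split(",") if h.strip()}
        if not wanted <= self.allowed:
            return Response(403)
        return Response(200, {"Access-Control-Allow-Origin": req.headers["Origin"],
                              "Access-Control-Allow-Headers": requested})

class SecurityFilter:
    """Stand-in for Spring Security's filterChainProxy: no credentials means 401,
    and a browser never attaches credentials to a preflight."""
    def do_filter(self, req, chain):
        return chain(req) if "Authorization" in req.headers else Response(401)

def run_chain(filters, req):
    # Servlet-style chain: each filter either answers itself or calls the next one.
    def invoke(i, r):
        if i == len(filters):
            return Response(200)  # the protected resource itself
        return filters[i].do_filter(r, lambda r2: invoke(i + 1, r2))
    return invoke(0, req)

# Constructed preflight, as a browser sends it before a GET that carries Basic Auth.
PREFLIGHT = Request("OPTIONS", {"Origin": "http://localhost:3000",
                                "Access-Control-Request-Method": "GET",
                                "Access-Control-Request-Headers": "authorization"})

def preflight_status(allowed_headers, cors_before_security):
    """Status the preflight gets for a given allowed-header list and filter order."""
    cors, sec = CorsFilter(allowed_headers), SecurityFilter()
    return run_chain([cors, sec] if cors_before_security else [sec, cors], PREFLIGHT).status
```

Only the combination of `Authorization` in the allowed list and the CORS filter ahead of the security filter lets the preflight through; the browser then sends the credentialed request, which the security filter evaluates as usual.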